
Cookie-based Advertising

Agenda:
1. Cookie and privacy concerns
2. Advertisers analyse cookies, sometimes (on Ad Networks)
3. Surprise Class activity and Q&A speaker (7PM-7.45PM)
Life of a Cookie
• In 2016, the cookie turned twenty
• It may have crumbled too.
• A proper specification for a cookie – with some safeguards – came only in 2011

• ‘Virtual Shopping Cart’ that Netscape browser premiered


• Stateful Vs Stateless Vs Super-Cookie (HTTPS, Private Browsing)
• stateful – keeps track of previously stored information, which is used for the current transaction.
• stateless – every transaction is performed as if it were being done for the very first time. There is no previously stored information used for the current transaction.
• Stateful means the computer or program keeps track of the state of interaction, usually by setting values in a storage field designated for that purpose.
• Stateful and stateless are adjectives that describe whether a computer or computer program is designed to note and remember one or more preceding events in a given sequence of interactions with a user, another computer or program, a device, or other outside element. Stateless means there is no record of previous interactions and each interaction request has to be handled based entirely on information that comes with it.
• Super Cookie: A supercookie is a type of tracking cookie inserted into an HTTP header by an internet service provider (ISP) to collect data about a user's internet browsing history and habits. Also known as a Unique
Identifier Header, a supercookie isn't technically an HTTP cookie, but rather information injected into packets sent from a user's device and the service it connects to.
• Supercookies can be used to collect a wide array of data on users' personal internet browsing habits including the websites users visit and the time they visit them. It does not matter which browser is being used or if
users switch browsers. Supercookies can also access information collected by traditional tracking cookies -- including login information, cached images and files and plug-in data -- and store that information even after
the traditional cookie has been deleted. Each supercookie can get as large as 100 KB.
• An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's
used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.

• Purpose of cookies:
• Session Management
• Personalization
• Tracking

• Advertising’s big issue is with third-party cookies


• The relatively harmless types are: session cookies, which track your site experience – the clickstream
• Information transmission from the cookie occurs at 1. website – or, 2. resources owned by the website (e.g. Ads)
Cookie and User-Tracking
• Hence the dual-use technology of Tracking Cookies:
• Track what user surfs
• Use state information to avoid repeated log-ons – both Session Management
• Personalization of website experience
• Every cookie can be examined, sometimes by 3rd party
• A cookie can be set on a client’s end autonomously, via malware
• Securing a cookie:
• Cookie theft or hijacking
• Cookie theft: Cookie theft occurs when a third party copies unencrypted session data and uses it to impersonate the real
user. Cookie theft most often occurs when a user accesses trusted sites over an unprotected or public Wi-Fi network.
Although the username and password for a given site will be encrypted, the session data traveling back and forth (the
cookie) is not.

• possibility of malicious posts via your SM account if someone gets your cookie
• By mimicking a person’s cookie over the same network, a hacker can access sites and perform malicious actions. Depending
on the sites accessed while the hacker is monitoring the network, this could be anything from making false posts in that
individual’s name to transferring money out of a bank account
• Therefore, use the HTTPS protocol even for non-financial activity
• Cookie theft can be avoided by only logging in over SSL connections or employing HTTPS protocol to encrypt the connection.
Otherwise, it is best not to access sites over unsecured networks.
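A session cookie stays out of unencrypted traffic only if the browser is told never to send it over plain HTTP. The following added example (not part of the original slides) checks Set-Cookie headers for the Secure, HttpOnly and SameSite attributes; the header lines and the `sessionid` cookie name are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for attributes that limit cookie theft.
// SAMPLE_HEADERS are constructed sample values, not captured traffic.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/",
  "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "prefs=dark; Path=/; Secure",
  "uid=42; Domain=ads.example; Path=/; SameSite=None",
];

// Split one Set-Cookie value into the cookie name and a map of lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts[0] || "";
  const eq = first.indexOf("=");
  const name = eq === -1 ? "" : first.slice(0, eq);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, attrs };
}

// Report missing protections for one header.
// sessionNames is an assumption: the caller lists which cookie names carry session state.
function auditSetCookie(header, sessionNames = ["sessionid"]) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = String(attrs.samesite || "").toLowerCase();
  const findings = [];
  if (!attrs.secure) findings.push("missing Secure: cookie is also sent over plain HTTP");
  if (sameSite === "none" && !attrs.secure) findings.push("SameSite=None without Secure");
  if (sessionNames.includes(name)) {
    if (!attrs.httponly) findings.push("missing HttpOnly: readable by page scripts");
    if (!sameSite) findings.push("missing SameSite: cross-site sending left to browser default");
  }
  return { name, findings };
}

// Audit a list of headers and keep only the cookies that have findings.
function auditAll(headers) {
  return headers.map((h) => auditSetCookie(h)).filter((r) => r.findings.length > 0);
}

console.log(auditAll(SAMPLE_HEADERS));
```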
3rd Party Cookies and the issues with them
• The 3rd party here is advertising company or engagement vendor
• A third-party cookie is one that is placed on a user's hard disk by a Web site from a domain other than the one a user is visiting. ... Blocking third-party cookies does not create
login issues on websites (which can be an issue after blocking first-party cookies) and may result in seeing fewer ads on the Internet.
• ‘Same Origin Policy’ can be turned on in many browsers
• The same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data
in a second web page, but only if both web pages have the same origin.
• An origin is defined as a combination of URI scheme, host name, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on
another web page through that page's Document Object Model
• It is very important to remember that the same-origin policy applies only to scripts. This means that resources such as images, CSS, and dynamically-loaded scripts, can be accessed across origins via the corresponding HTML tags
• Interest-based Advertising or Online Behavioural Advertising
• Online advertising is a marketing strategy that involves the use of the Internet as a medium to obtain website traffic and target and deliver marketing messages to the right
customers. Online advertising is geared toward defining markets through unique and useful applications.
• Examples of online advertising include banner ads, search engine results pages, social networking ads, email spam, online classified ads, pop-ups, contextual ads and spyware.
• Online behavioral advertising (aka "OBA") describes a broad set of activities companies engage in to collect information about your online activity (like webpages you visit) and use
it to show you ads or content they believe to be more relevant to you.
• these companies identify you by a random ID number and try to make guesses about your interests and characteristics based on your online activity. The data they retain could
include:
• Your inferred age group (e.g. 18-25)
• Your inferred gender (e.g. male)
• Your inferred purchase interests (e.g. shoes)
• To avoid ‘man-in-the-middle’ stealing a cookie:

• A MITM attack happens when a communication between two systems is intercepted by an outside entity. This can happen in any form of online communication, such as email, social media, web surfing, etc. Not only are attackers trying to eavesdrop on your private conversations, they can also target all the information inside your devices.
• Cookie-based transfers may be encrypted, in many cases
• Subdomains and cookie-related invasions (2015)
• Cookies and their links to Social Networks, and why the most secure SN is already shuttered
• How Online Trackers and Social Networks are hand-in-glove, 2009
Alternatives to Cookies
• Apple’s IDFA, used for (proposed) advertisement delivery vertical iAd
• iAd is recognized in a Harvard Law School blog about secure ‘AdTech’
• iAd is a discontinued mobile advertising platform developed by Apple Inc. for its iPhone, iPod Touch, and iPad line of mobile devices allowing third-party developers to
directly embed advertisements into their applications.
• IDFA is the abbreviation for identifier for advertisers on iPhones. An Apple IDFA is somewhat analogous to an advertising cookie, in that it enables an advertiser to
understand that a user of a particular phone has taken an action like a click or an app install
• The Identifier for Advertisers (known as the IDFA) is a random device identifier assigned by Apple to a user’s device. Advertisers use this identifier to
track data so they can deliver customized advertising.
• The IDFA reveals no personal information. Instead, it’s used for tracking and identifying a user, which then allows advertisers to access aggregated
data which can be used to discover information – such as which in-app events they trigger.

• Does targeted advertising have to be viewed more favourably than Brand?


• Apple's Content Blocking is Chemo for the Cancer of 'Ad Tech' 26 Aug 2015
• Many calculations aren’t accurate if users delete cookies
• Clickstream analysis, Conversion rates etc.
• Close to 20-30% users are deleting cookies, many programmatically
• On a Web site, clickstream analysis (also called clickstream analytics) is the process of collecting, analyzing and reporting aggregate data about which pages a website visitor visits -- and in what order. The path the visitor takes through a website is called the clickstream
• URLs, IP Addresses etc. are all alternatives – but with own problems
• In contrast to Apple, Google removes ‘Adblock’ App from Playstore:
• Google removes AdBlock Plus, Mar 2013, and other wannabes, Feb 2016
Interest-based Advertising

• “interest-based advertising is the workhorse for subsidizing content on the Internet”


• Interest-Based Advertising is a form of Behavioral advertising, which has become very popular recently. Rather than
select websites or web pages to display ads on, you select website visitors who have certain characteristics based on online
browsing behavior.
• So with Behavioral or Interest-Based advertising you’re targeting individual visitors of websites. This is like buying a billboard ad
that only displays your ad when your ideal prospect is walking or driving by.
• It allows you to forget about choosing the websites and pages to display your products on, but rather show them to the users who
have certain characteristics based on online browsing behavior.
• With interest-based advertising, you are not chasing blind with hope to attract a potential customer, but targeting directly to
interested visitors of websites.
• Ad impression based on a cookie is 3x more valuable than without
• Some commonality here with the Net Neutrality debate
• Cookie Ads pay, but privacy regulation is snapping at heels, Feb 2014
• Many sites like Twitter, Facebook etc. permit interest-based Ads
• Cookie-based Targeting Vs ID-based Targeting
• Cookie targeting is about devices, while ID targeting is about people, providing better control for advertisers and allowing for
realistic frequency caps and better attribution modeling
• Reading Assignment for next class: How FB changed its cookie policy
Cookie Targeting Is About Devices
Cookie targeting is about devices, while ID targeting is about people,
providing better control for advertisers and allowing for realistic frequency
caps and better attribution modeling.
The real issue, however, involves the multitude of devices that one person
uses through the day. A single person could have a separate work PC, a home
PC, a tablet, a mobile phone, and a smart TV (likely at minimum). These
myriad users and devices create a disjointed landscape for users and
advertisers, cause wasted spend and make it extremely difficult to measure
performance or create a proper attribution path.
ID Targeting Is About People
Targeting by IDs is different, however. If a user visits your website, and the
site has implemented the appropriate retargeting code, Twitter and
Facebook can identify that user’s ID. If the user leaves without making a
purchase or completing a desired action, they will be served an ad on
Facebook or Twitter. That ad could be served on a desktop, iPhone, tablet, or
any device as long as the user is logged in to the same account across all
devices. It creates a more consistent and relevant experience for the user. It
also provides better control for advertisers, allowing for realistic frequency
caps and better attribution modeling.
Economics of cookie-matching, Ghosh, 2012
• ‘Cookie Matching’ is a method by which Ad Exchanges scramble the 3rd-
party cookies, which they succeeded in setting at client’s end
• Cookie matching is a way for bidders on an ad exchange to know if they
have had an initial contact with an individual related to a bid request
sent by the ad exchange without needing pixel piggybacking.
• They present this, in RT, to advertisers who check the non-PIN details of the
cookie to decide if they wish to bid (maybe for Re-Targeting)
• An example of an Ad Auction
• Ad Exchange represents a publisher here, faces information leakage
• Targeted Advertising comes with a dilemma for publishers/Ad-Exch:
• Efficient Allocation means low revenue, esp. in Second-price Auctions
• However, in equilibrium, information leakage doesn’t dip revenues.
Does Google AdSense use Cookies?
• Short Answer: yes, it does
• The specific type of cookie is known as a ‘DoubleClick Cookie’
• An online publisher can set a DoubleClick cookie to tell them what sections of their sites you are browsing.
DoubleClick will then judge the type of adverts you might like to see from what you're browsing. For
example, if you are on a news website and you visit the sports pages, then adverts for match tickets may be
more relevant than makeup. This information belongs to the website owner only.
• Targeting in advertising networks: Google runs a service called AdSense, in which lots of different publishers
pool the information they get on browsers. This helps them build up a better idea of the type of adverts
someone might want to see. This is a third-party advertising cookie.
• ‘Partner Websites’ participate in Google’s Ad Network AdSense
• Eg. WordPress blogs
• These partner websites can access ancillary services eg Google Analytics
• An EU End-User Consent policy is now compulsory for AdSense
• Has been replaced by a stronger GDPR policy
• Asking User Consent itself is a popup! Quite unpopular for many
Use of the second-price auction in Re-Target
• A 2010 example of AdExchanger.com and a retargeting campaign
• What does a display advertising campaign look like?
• A static bid of ‘$20 CPM’ – high, if looked at in isolation
• But low since this is a second-price auction
• Amazon, Flipkart etc. perform ‘direct response re-targeting’
• Frequency Cap, Recency, Membership duration all of segment value
• Suggested Reading: Part-2 of the article linked above
• Challenge: can we craft a retargeting campaign?
• First-Price Auction – Digital buying model where if your bid wins, you
pay exactly what you bid. This maximizes revenue potential for the
seller.
• Second-Price Auction – Digital buying model where if your bid wins,
you pay $0.01 above the second highest bid in the auction. In this
type of auction, it is in your best interest to bid the highest amount
you are willing to pay, knowing that often you will end up paying less
than that amount.
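The two pricing rules defined above can be compared on the same set of bids. This is an added example, not part of the original slides: the bidders, the amounts other than the $20 CPM bid, the floor price, and the rules that a single eligible bidder pays the floor and that the price never exceeds the winner's own bid are assumptions made for illustration.

```javascript
// Added example: clearing price under the first-price and second-price rules.
// Amounts are CPM bids in integer cents to avoid floating-point rounding.
// SAMPLE_BIDS is constructed; only the $20 CPM figure comes from the slide.
const SAMPLE_BIDS = [
  { bidder: "retargeter", cents: 2000 }, // the static $20 CPM bid
  { bidder: "brand-a", cents: 450 },
  { bidder: "brand-b", cents: 310 },
];

// Run one auction. model is "first-price" or "second-price".
// floorCents is an assumed reserve price: bids below it are ignored.
function runAuction(bids, model, floorCents = 0) {
  // filter() copies the array, so sorting does not reorder the caller's data.
  const eligible = bids
    .filter((b) => b.cents >= floorCents)
    .sort((a, b) => b.cents - a.cents); // highest bid first; ties keep input order
  if (eligible.length === 0) return null; // nothing cleared the floor

  const winner = eligible[0];
  if (model === "first-price") {
    // The winner pays exactly what it bid.
    return { winner: winner.bidder, priceCents: winner.cents };
  }
  if (model !== "second-price") throw new Error("unknown model: " + model);

  // The winner pays one cent above the runner-up, capped at its own bid
  // (the cap matters when the two top bids are equal).
  // Assumption: with a single eligible bidder the price is the floor.
  const priceCents = eligible.length > 1
    ? Math.min(winner.cents, eligible[1].cents + 1)
    : floorCents;
  return { winner: winner.bidder, priceCents };
}

console.log(runAuction(SAMPLE_BIDS, "first-price"));
console.log(runAuction(SAMPLE_BIDS, "second-price"));
```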
The future of Cookies
• AdTech has been credited with keeping the Internet ‘Alive and Free’
• Cookies are under threat, advertising on mobile is very app-based
• A new model is likely to emerge – a new Ad-tracking system has to
emerge at one of the four layers:
• Operating System
• Browser
• ISP
• Social, Search, or Ad-Exchange
• Google creating an IDFA will have high monopoly power
• When Cookies Go Away, VentureBeat, 2013
